Implementation of EU Regulation on Data Protection and of the Cybersecurity Act2018-11-28T14:58:58+00:00

GDPR / CYBERSECURITY

Securing network and information systems in the European Union and protecting data are essential to keep the online economy running while protecting the citizens’ rights. The Internet of Things (IoT) is already a growing reality with the expectation of having tens of billions of connected digital devices in the EU by 2020[1].

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation on the protection of natural persons’ personal data and on the free movement of such data. Implanted at European level in May 2018, this regulation is an essential step to strengthen citizens' fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital Single Market and doing away with the current fragmentation and costly administrative burdens.

To ensure responsive reactions to new market developments and responses to public policy demands, EA promotes the use of accreditation by National Accreditation Bodies and introduces certification as a means to demonstrate compliance with data protection requirements. Discussions have started in Member States involving all interested parties with a view to introducing accreditation in the scheme.

In parallel, 86% of Europeans believe that the risk of becoming a victim of cybercrime is increasing[2]. Sectors like transport, energy, health and finance have become increasingly dependent on network and information systems to run their core businesses.

In that context, EA also supported the European Commission regarding the proposed new regulation concerning ENISA, the EU Agency for Network and Information Security, the «EU Cybersecurity Agency», on Information and Communication Technology cybersecurity certification (‘’Cybersecurity Act’’). Indeed, the growth of the cybersecurity market in the EU – in terms of products, services and processes – is held back in a number of ways, including the lack of a cybersecurity certification scheme recognized across the EU.

Certification, which consists of the formal evaluation of products, services and processes by an independent and accredited body against a defined set of criteria standards leading to the issuing of a certificate indicating conformance, plays an important role in increasing trust and security in products and services. While security evaluation is quite a technical area, certification serves the purpose of informing and reassuring purchasers and users about the security properties of ICT (Information and Communication Technologies) products and services that they buy or use.

This new Regulation will enhance harmonization of certification schemes, related security requirements and evaluation criteria across Member States and sectors by providing voluntary certification of ICT products and services and related accreditation from Conformity Assessment Bodies. The resulting certificate will be recognized in all Member States and will rely on the international standards, making it easier for businesses to trade across borders and for purchasers to understand the security features of a product or service.

[1] Definition of a Research and Innovation Policy Leveraging Cloud Computing and IoT Combination, IDC and TXT, study carried out for the European Commission, 2014

[2] Eurobarometer on Cybersecurity (EBS 464)

Further information about the use of accreditation laboratory and Cybersecurity on :

Document ICT certification laboratories